Migrating a Kerberos Realm

Ken Raeburn raeburn at MIT.EDU
Thu Nov 2 23:14:31 EST 2006


On Nov 2, 2006, at 17:48, Henry B. Hotz wrote:
> OTOH, it sounds like a fun idea to me.  Do the cryptosystem RFCs
> specify the default salt?

Actually, the default salt, derived from the realm and principal  
name, is specified in the main Kerberos protocol document, and is  
invariant across cryptosystems; the cryptosystem RFCs don't know  
anything about principal names or realm names.  What gets done with  
the salt string is defined per cryptosystem, though.

Using a fixed per-principal salt string allows an attacker to convert  
a standard password-cracking dictionary into a set of keys for a  
given principal, and try that set of keys repeatedly despite the user  
changing her password.  If the salt string (which is supposed to be  
UTF-8 if I recall correctly) is randomized and long enough, then any  
key of N bits should be possible[*] even if the password is in the  
dictionary, and the attacker can only precompute his key list for a  
given salt string.  So it's probably worth considering despite the  
bugs of one implementation.

Ken

[*] Assuming the cryptosystem actually uses the salt string, and  
incorporates it properly, of course.  The RC4 cryptosystem, for  
example, does not use it, and thus the key is derived from the  
password alone, and a dictionary can be converted to keys that can be  
tried for any user in any realm.


